Microsoft has disrupted a surge of Rhysida ransomware attacks in early October by revoking over 200 certificates used to sign fake Microsoft Teams installers.

The attacks were carried out by Vanilla Tempest, also known as VICE SPIDER or Vice Society, which used domains mimicking Microsoft Teams such as teams-install[.]top, teams-download[.]buzz, and teams-install[.]run to distribute malicious MSTeamsSetup.exe files that infected victims with the Oyster backdoor.

The campaign began in late September, using malvertising and SEO poisoning to push fake Microsoft Teams installers. These websites closely resembled the official Microsoft Teams download page, tricking users into downloading a signed malware loader instead of the legitimate app.
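As an added illustration (not code from the article or from Microsoft), the following Python script triages web-proxy log lines for the lure domains named above and for the installer filename being served from a host outside Microsoft's own domains. The log line format and the list of trusted suffixes are assumptions made for the example.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Lookalike domains named in the article (written there defanged with "[.]").
KNOWN_LURE_DOMAINS = {"teams-install.top", "teams-download.buzz", "teams-install.run"}

# Assumption for this example: hosts under these suffixes are treated as legitimate
# Teams download sources; extend to match your environment's allow list.
TRUSTED_SUFFIXES = ("microsoft.com", "office.com", "microsoftonline.com")


def is_trusted_host(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def classify_url(url: str) -> Optional[str]:
    """Return a reason string if the URL looks like a fake Teams installer lure, else None."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    path = parsed.path.lower()
    if host in KNOWN_LURE_DOMAINS:
        return f"known lure domain {host}"
    if is_trusted_host(host):
        return None
    if path.endswith("msteamssetup.exe"):
        return f"Teams installer filename served from untrusted host {host}"
    # Heuristic: a hostname that combines "teams" with install/download/setup wording.
    if "teams" in host and re.search(r"install|download|setup", host):
        return f"Teams lookalike hostname {host}"
    return None


def scan_proxy_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Expects constructed lines of the form '<timestamp> <client_ip> <url>'; returns hits."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        reason = classify_url(parts[2])
        if reason:
            hits.append((parts[1], parts[2], reason))
    return hits


# Constructed sample log: one legitimate download page, four lure-style requests.
SAMPLE_LOG = """2025-10-02T09:14:03Z 10.1.4.22 https://teams-install.top/MSTeamsSetup.exe
2025-10-02T09:15:11Z 10.1.4.23 https://www.microsoft.com/en-us/microsoft-teams/download-app
2025-10-02T09:16:40Z 10.1.4.24 https://cdn.example-mirror.net/files/MSTeamsSetup.exe
2025-10-02T09:17:02Z 10.1.4.25 https://teams-download.buzz/
2025-10-02T09:18:19Z 10.1.4.26 https://teams-setup-now.example/get"""

if __name__ == "__main__":
    for client, url, reason in scan_proxy_log(SAMPLE_LOG.splitlines()):
        print(f"{client}\t{reason}\t{url}")
```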

When executed, the fake installer deployed the Oyster malware, also known as Broomstick or CleanUpLoader, which granted attackers remote access to the system. This allowed them to steal files, execute commands, and drop additional malicious payloads.

Microsoft responded by revoking the abused certificates issued through SSL.com, DigiCert, and GlobalSign to prevent the malware from being trusted by Windows. According to Microsoft, Vanilla Tempest has been using the Oyster backdoor since June 2025, leveraging Trusted Signing to make their malicious files appear legitimate.

Vanilla Tempest is a financially motivated threat group that has been active since at least June 2021. The group focuses on deploying ransomware and stealing data for extortion. Over time, it has used various ransomware families, including BlackCat, Quantum Locker, and Zeppelin, but has recently shifted to primarily deploying Rhysida ransomware.

Previously known as Vice Society, the group has frequently targeted organizations in the education, healthcare, IT, and manufacturing sectors. In 2022, the FBI and CISA issued a joint advisory warning that Vice Society had disproportionately targeted the U.S. education sector after breaching the Los Angeles Unified School District, the second-largest school district in the United States.